Chapter 3 The Proposed Model for Risk Assessment
3.4 General Solution Algorithm
Our process of risk assessment is now almost complete; all that remains is to describe the calculation procedures together with the steps in the analysis of wireless networks. In the following, we make some assumptions and then design a solution algorithm for risk assessment of wireless networks.
(1) We construct an m × n matrix to represent the configurations that the attack types utilize to start the attack. The rows denote the configurations and the columns denote the attack types.
The matrix C is configuration; whereas the jth attack type doesn’t need the ith configuration.
(2) Suppose that the experts define a fuzzy linguistic representation vector MF = [mf1, mf2, …, mfk] of k elements, where each element includes four membership values.
(3) Suppose that the experts define a fuzzy risk levels vector L = [l1, l2,…, lm] of m elements of the configurations, where each element includes four membership values.
(4) Suppose that there exists a vector Rv = [rv1, rv2,…, rvk], where the ith element denotes an n × qi matrix. The rows represent the attack types and the columns represent the risk factors of each rule that are defined by the experts.
(5) Suppose that there exists a vector Bv = [bv1, bv2,…, bvk], where each element denotes a vector holding the weights of the risk factors that are defined by the experts. The size of the ith element is qi.
The general solution algorithm is shown as follows:
Algorithm 3.1 Generalized Version for Risk Value Calculation
Input: A configuration file, config_file;
A m × n matrix C;
A risk level vector L of configurations of size m;
A vector RV of size r, of which the ith element is an n × qi matrix;
A vector BV of size r, of which the ith element is a vector of size qi
Output: Risk value
Risk-Value-Calculate(config_file, C, L, RV, BV)
1 Read configurations from config_file
2 Let W be an array of size n
3 Set the weight value of each element of W according to the configurations and user’s rules
36 use the risk value of each rule, Rr[i], to calculate the total risk value, risk
37 return risk
Suppose that experts define three rules, probability before being attacked (ps), impact severity after being attacked (is) and system uncontrollability after being attacked (us), to determine the total risk of a system. There are w risk factors of probability, x risk factors of impact severity, and y risk factors of uncontrollability. If there are n attack types of assessment architecture, then the proposed approach has the following property.
Property: if an attacker obtains more information of the environment E1 than that of the environment E2, then the risk existing in E1 is larger than that in E2.
Proof.
If an attacker obtains more configurations of the wireless environment E1 than that of E2, according to experts’ experience, E1’s rating vector, α, is indeed larger than E2’s rating vector, α’, where
$\alpha = [\alpha_1, \alpha_2, \ldots, \alpha_n]^T, \quad \alpha' = [\alpha'_1, \alpha'_2, \ldots, \alpha'_n]^T.$
Assume without loss of generality that αi > αi’ and all the other rating elements in α and α’ are the same, i.e. αj = αj’ ∀j = 1, 2, 3, … , n and j ≠ i.
By the definitions and algorithm steps introduced in Chapter 3, three judge matrixes, Rp, Ri, and Ru, are obtained by experts’ experiences as well as the corresponding vectors, bp, bi
and bu, which represent weights of risk factors of the three rules.
11 12 1
u ln1 1
Given the above vectors and matrixes, in the environment E1, ps (the probability of being attacked), is (the impact severity after being attacked) and cs (the uncontrollability after being attacked) are determined.
1 1
Similarly, the three corresponding values of the environment E2 are determined.
p
Finally, by Eq. (3), we can get R and R’, the total risks existing in the environment E1 and E2, respectively.
R=1-(1-ps)* (1-is)* (1-us), and R’=1-(1-ps’)*(1-is’)* (1-us’).
∵ $\alpha_i > \alpha'_i$ and all the other rating elements in α and α’ are the same,
∴ $p_s > p'_s$, $i_s > i'_s$ and $u_s > u'_s$, and thus derives that $R > R'$.
Hence, it is proved that the more configurations attackers acquire the more risk exists in the wireless environment.
Chapter 4 Examples
In this chapter, two graph-based risk assessment examples with different configurations of wireless networks are given as a demonstration of the application of the proposed method in realistic scenarios. The total risk value between an access point and a wireless station is calculated in section 4.1. Section 4.2 extends the first example and introduces how to calculate the total risk value between two wireless stations.
4.1 Calculating Risk Value between AP and Station
In this section, we first introduce the wireless environment between an access point and a wireless station in this example. In order to accomplish our purpose, the AHP rule depiction and the fuzzy linguistic rule depiction will be presented in order to compute the total risk value. Finally, the result will be calculated according to these assessment rules and shown in an attack graph.
4.1.1 The Environment of Wireless Network
According to [9]-[23], each device should contain relevant information in configurations to help administrators analyze the security robustness of wireless networks. Hence, consider the wireless network example shown in Fig. 7. There are two wireless devices, an access point (AP1) and a wireless station (STA1), and STA1 has already connected with AP1. Suppose that the configurations of these two devices have been detected, and we want to calculate the total risk value between them. As shown, the configurations of the two devices can be utilized to analyze the risk of the wireless network.
Fig. 7. Wireless Network Example (AP and station)
4.1.2 Determination of the Analysis Rules
From the security risk analysis [22], the analysis rule must be constructed for risk value computation. Therefore, the AHP rules and fuzzy linguistic rule should be constructed for our risk computation according to Fig. 5. The procedures of rules construction are decomposed as follows:
Step 1. Determine the Risk Factors of Each Rule — From Fig. 5, the rules of the second
layer are constructed as probability, impact severity, and uncontrollability. According to the AHP method [27]-[28], it is necessary to design the risk factors, and risk weight of each rule.
Because Zhao et al. [27] have designed the risk factors through experts, we use the same risk factors as theirs. Suppose the risk factor set is V = {V1, V2, …, Vm}; then the risk factors of each rule are shown in Table 7.
Table 7. The Risk Factors of Each Rule
Factor \ Rule | Probability | Impact severity | Uncontrollability
V1 | Negligible | Insignificant | Controllable
V2 | Very low | Monitor | Controllable mainly
V3 | Low | Significant | Uncontrollable
V4 | Medium | Serious | Undefined
V5 | High | Critical | Undefined
V6 | Very high | Undefined | Undefined
V7 | Extreme | Undefined | Undefined
Step 2. Determine the Risk Degrees and Risk Weight — According to the above discussion, we should determine the risk weight of each risk factor of each rule. Of course, the weights satisfy uniform condition. Furthermore, the risk degree between each risk factor in layer 2 and each attack type in layer 3 should also be decided. Suppose the experts make assessment tables of the probability (B1), impact severity (B2), and uncontrollability (B3). The tables, which include the risk weights and the risk degrees, are shown in Table 8, Table 9, and Table 10.
Table 8. Risk Degree and Risk Weight of Probability
Attack type
Table 9. Risk Degree and Risk Weight of Impact Severity
Table 10. Risk Degree and Risk Weight of Uncontrollability
Attack type
Step 3. Fuzzy Linguistic Terms Representation — Since the configurations of the wireless environment are represented by fuzzy linguistics, we apply nine-member linguistic terms, which are expressed in positive trapezoidal sets, to deal with the weights and the risk levels of configurations, as shown in Table 11.
Table 11. A Nine-Member Linguistic Term Set
Linguistic Term | Trapezoidal Fuzzy Numbers
Absolute low (AL) | (0.00, 0.00, 0.00, 0.00)
Step 4. Design Rules for Weights of the Configurations — After deciding the linguistic terms representation, the fuzzy analysis rules can be designed according to Table 11. We design three rules for weights of configurations. The first fuzzy linguistic rule, shown in Table 12, expresses the capability on access levels of attackers. Table 13 shows the second rule, which uses linguistic terms to express whether the running service encrypts its data transmission or not.
Table 12. Linguistic Term for Access Level of Attacker
Access level of attackers | Linguistic term
Root | AH
User | FH
Guest | FL
None | AL
Table 13. Linguistic Term for Data Encryption of Running Service
Data encryption of running service | Linguistic term
None encryption (plain text) | VH
Encryption (cipher text) | M
Undetected | VL
As for the third rule, we focus on safety and acquirable probability of the other configurations that can be obtained from wireless packets. According to IEEE standards [37], we can classify configurations themselves through the safety of wireless encrypted types; and the acquirable probabilities of configurations are classified through encrypted types of access points. We group the safety and the acquirable probability into four levels, as shown in Table 14 and Table 15, respectively. By applying Table 14 and Table 15, the third fuzzy linguistic rule can be subjectively designed and shown in Table 16. If attackers cannot get the information of a configuration, the weight is set to absolute low (AL), meaning the risk is absolute low; otherwise, the weight of the configuration is decided according to the three rules.
Table 14. Safety of Encrypted Type
Encrypted type of configurations | Safety
None encryption | None
WEP | Low
WPA-PSK | Medium
Others | High
Table 15. Probability of Gather Configurations
Encrypted type of access point Acquirable probabilities of configurations High: D1, D2, D3, D5, D6, D7, D8
Step 5. Design Rule for Risk Levels of the Configurations — As discussed earlier for Table 1 to Table 6, suppose that the risk levels of configurations are resolved according to the number of times that each configuration is applied in wireless attacks by attackers, as shown in Table 17.
Table 16. Linguistic Term for Safety and Acquirable Probability of Configuration
Encrypted type of configurations \ Acquirable probability of configurations | High | Medium | Low | Impossible
None (None encryption) | VH | H | FH | M
Low (WEP) | H | FH | M | FL
Medium (WPA-PSK) | FH | M | FL | L
High (Others) | M | FL | L | VL
Table 17. Linguistic Term for Risk Level of Configuration
Applied time of configuration | Linguistic term
7 | VH
6 | H
5 | FH
4 | M
3 | FL
2 | L
1 | VL
4.1.3 Algorithm
After determining the analysis rules, the algorithm in this example can be designed to explain how to calculate the risk value between an access point and a station. We make three assumptions in order to finish the algorithm.
(1) Suppose that there exist three analysis rules: probability, impact severity, and uncontrollability. There are q risk factors of the probability, r risk factors of impact severity, and s risk factors of uncontrollability. The experts give the risk degree between each rule and each attack type; then the matrixes Rp, Ri, and Ru can be constructed, where the rows denote the attack types and the columns denote the risk factors. They are [b1, b2,…, bt]. The vectors represent the weights of the risk factors.
(3) Suppose that there exists a vector W = [w1, w2, …, wk] of k elements, where each element includes four membership values to describe the weight of each configuration.
From Fig. 5, there are 6 attack types and 3 rules, where q is equal to 7, r is equal to 5 and s is equal to 3 according to Table 7. In this example, there are 10 configurations consisting of AP1 and STA1. The fuzzy linguistic representation vector MF = [AL, VL, L, FL, M, FH, H, VH, AH] is constructed according to Table 11, and then we can modify Algorithm 3.1 and generate two algorithms. The first algorithm describes how to obtain the total risk value; the other one gets the weights of the configurations, as follows.
Algorithm 4.1 Risk Value Calculation
Input: A configuration file, config_file;
A 15 × 6 matrix C;
A risk level vector L of configurations of size 15;
A 6 × 7 matrix Rp;
5 sum ← 0
14 ► Modify judge matrix Rp and obtain quantitative coefficient vector qp
15 Let cp be a vector of size 6
25 ► Modify judge matrix Ri and obtain quantitative coefficient vector qi
26 Let ci be a vector of size 6
36 ► Modify judge matrix Ru and obtain quantitative coefficient vector cu
37 Let cu be a vector of size 6
43 eu ← eu + (Ru[i, j] / F[i]) · ln(Ru[i, j] / F[i])
Algorithm 4.2 Getting Weights
Input: A configuration file, config_file;
Output: An array W which stores the weight value of each configuration
GET-WEIGHTS(config_file)
read the type of this configuration file from config_file, and then set config_file_type
read configurations from config_file, including ap_ssid, ap_mac_addr, ap_ip_addr, ap_channel, ap_encryption, sta1_mac_addr, sta1_ip_addr, sta1_port, sta1_access_level and sta1_running_service
if config_file_type = STAs
    then read extra configurations from config_file, including sta2_mac_addr, sta2_ip_addr, sta2_port, sta2_access_level and sta2_running_service
         allocate an array W of size 15 dynamically
    else allocate an array W of size 10 dynamically
► Get weight between access level and attack types
if sta1_access_level = root
    then W[9] ← MF[9]
elsif sta1_access_level = user
    then W[9] ← MF[6]
elsif sta1_access_level = guest
    then W[9] ← MF[4]
else W[9] ← MF[1]
if config_file_type = STAs
► Get weight between running service and attack types
if sta1_running_service is un-encryption
    then W[10] ← MF[8]
elsif sta1_running_service is encryption
    then W[10] ← MF[5]
else W[10] ← MF[2]
if config_file_type = STAs
    then if sta2_running_service is un-encryption
             then W[15] ← MF[8]
         elsif sta2_running_service is encryption
             then W[15] ← MF[5]
         else W[15] ← MF[2]
► Get weights between other configurations and attack types
if ap_encryption = NIL
    then W[1] ← W[2] ← W[3] ← W[5] ← W[6] ← W[7] ← W[8] ← MF[8]
         W[4] ← MF[7]
         if config_file_type = STAs
             then W[11] ← W[12] ← W[13] ← MF[8]
elsif ap_encryption = WEP
    then W[1] ← W[2] ← W[7] ← MF[8]
         W[3] ← W[4] ← W[5] ← W[6] ← W[8] ← MF[7]
         if config_file_type = STAs
             then W[12] ← MF[8]
                  W[11] ← W[13] ← MF[7]
elsif ap_encryption = WPA-PSK
    then W[1] ← W[2] ← W[7] ← MF[8]
         W[4] ← MF[7]
         W[3] ← W[5] ← W[6] ← W[8] ← MF[4]
         if config_file_type = STAs
             then W[12] ← MF[7]
                  W[11] ← W[13] ← MF[4]
else W[1] ← W[2] ← W[7] ← MF[8]
     W[4] ← MF[7]
     W[3] ← W[5] ← W[6] ← W[8] ← MF[2]
     if config_file_type = STAs
         then W[12] ← MF[7]
              W[11] ← W[13] ← MF[2]
► Set weight of configuration to MF[1] if the configuration is not available
if ap_ssid = NIL
if config_file_type = STAs
    then if sta2_ip_addr = NIL
In the following, we use the proposed risk assessment method to explain the risk assessment processes of the wireless network. The procedures are decomposed into six steps as follows:
(1) Constructing the security list table — According to the configurations of Fig. 1, we can construct linguistic security lists which include the weights and risk levels of the configurations based on Table 12, Table 13, Table 16 and Table 17, as shown in Table 18.
Table 18. Linguistic List of the Weight and the Risk Level (AP1 and STA1)
Attack type
(2) Calculating the fuzzy average set — By using FWA method and fuzzy arithmetic operation from Eq. (4) and Eqs. (6) to (9), we can obtain the average fuzzy set of each attack type:
[ ] [ ]
(3) Calculating the risk rating — By applying quantitative method of Eq. (10), the risk rating of RC1 is
(4) Constructing the judge matrixes — After calculating the risk ratings, each risk rating of attack types should execute multiplication to generate judge matrixes. From the rules of B1,B2, and B3, the judge matrixes Rp, Ri, and Ru can be computed according to Table 8, Table 9 and Table 10. They are:
$$R_p = \begin{bmatrix}
0.000 & 0.000 & 0.000 & 0.366 & 0.274 & 0.183 & 0.091 \\
0.000 & 0.000 & 0.000 & 0.088 & 0.177 & 0.354 & 0.265 \\
0.000 & 0.000 & 0.000 & 0.000 & 0.449 & 0.359 & 0.090 \\
0.000 & 0.000 & 0.000 & 0.000 & 0.088 & 0.441 & 0.353 \\
0.000 & 0.000 & 0.000 & 0.000 & 0.091 & 0.362 & 0.453 \\
0.087 & 0.087 & 0.087 & 0.175 & 0.262 & 0.175 & 0.000
\end{bmatrix}$$
$$R_i = \begin{bmatrix}
0.000 & 0.274 & 0.366 & 0.274 & 0.000 \\
0.088 & 0.088 & 0.088 & 0.265 & 0.354 \\
0.090 & 0.000 & 0.359 & 0.269 & 0.179 \\
0.000 & 0.000 & 0.088 & 0.176 & 0.617 \\
0.000 & 0.000 & 0.000 & 0.362 & 0.544 \\
0.000 & 0.087 & 0.175 & 0.437 & 0.175
\end{bmatrix}$$
Here each row is an attack type defined in Fig. 5, and each column is a risk factor of the rules defined in Table 7.
(5) Calculating the quantitative coefficients and normalized weights — From Table 8, the entropies of attack types of Rp can be calculated by applying Eq. (13), as follows:
$$e_{p1} = -\frac{1}{\ln 7}(0.4\ln 0.4 + 0.3\ln 0.3 + 0.2\ln 0.2 + 0.1\ln 0.1) = 0.658$$
$$e_{p2} = -\frac{1}{\ln 7}(0.1\ln 0.1 + 0.2\ln 0.2 + 0.4\ln 0.4 + 0.3\ln 0.3) = 0.658$$
$$e_{p3} = -\frac{1}{\ln 7}(0.5\ln 0.5 + 0.4\ln 0.4 + 0.1\ln 0.1) = 0.485$$
$$e_{p4} = -\frac{1}{\ln 7}(0.1\ln 0.1 + 0.5\ln 0.5 + 0.4\ln 0.4) = 0.485$$
$$e_{p5} = -\frac{1}{\ln 7}(0.091\ln 0.091 + 0.362\ln 0.362 + 0.453\ln 0.453) = 0.485$$
$$e_{p6} = -\frac{1}{\ln 7}(3 \times (0.1\ln 0.1) + 2 \times (0.2\ln 0.2) + 0.3\ln 0.3) = 0.871$$
Then the weight vectors of attack types of each rule can be calculated by the Eqs. (12) and (14):
(0.145, 0.145, 0.219, 0.219, 0.219, 0.055)
(6) Calculating the total risk value — From Table 8 to Table 10, we can get the weight vectors of risk factors, that is,
(1/49, 3/49, 5/49, 7/49, 9/49, 11/49, 13/49)
By applying Eq. (5), the risk value of each rule is calculated as follows:
= 0.199
Finally, the total risk value between the AP1 and STA1 can be calculated by the Eq. (3)
$$R = p_s + c_s + u_s - p_s c_s - p_s u_s - c_s u_s + p_s c_s u_s = 0.580$$
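The following is an added worked example, not code from the thesis: it recomputes the entropies and attack-type weights of step (5) from the Rp matrix of step (4) and then combines three rule values with Eq. (3). Assumptions: each row is normalized by its own sum (one reading of the R[i, j] / F[i] term in Algorithm 4.1), the weights use the standard (1 − e) / Σ(1 − e) entropy-weight normalization because Eqs. (12) and (14) are not reproduced here, and all function names are hypothetical.

```python
import math

# Judge matrix Rp for AP1-STA1, copied from step (4) above
# (rows: 6 attack types, columns: probability risk factors V1..V7).
RP = [
    [0.000, 0.000, 0.000, 0.366, 0.274, 0.183, 0.091],
    [0.000, 0.000, 0.000, 0.088, 0.177, 0.354, 0.265],
    [0.000, 0.000, 0.000, 0.000, 0.449, 0.359, 0.090],
    [0.000, 0.000, 0.000, 0.000, 0.088, 0.441, 0.353],
    [0.000, 0.000, 0.000, 0.000, 0.091, 0.362, 0.453],
    [0.087, 0.087, 0.087, 0.175, 0.262, 0.175, 0.000],
]


def row_entropy(row):
    """Entropy of one attack type, scaled by 1/ln(number of risk factors).

    Assumption: the row is first normalized by its own sum, which is how the
    R[i, j] / F[i] term of Algorithm 4.1 is read here. Zero entries add 0.
    """
    total = sum(row)
    if total <= 0:
        raise ValueError("judge-matrix row has no positive entries")
    shares = [v / total for v in row if v > 0]
    return -sum(s * math.log(s) for s in shares) / math.log(len(row))


def entropy_weights(matrix):
    """Normalized attack-type weights derived from the row entropies.

    Assumption: weight_i = (1 - e_i) / sum_j (1 - e_j), the usual
    entropy-weight normalization; Eqs. (12) and (14) are not shown here.
    """
    coeffs = [1.0 - row_entropy(r) for r in matrix]
    total = sum(coeffs)
    return [c / total for c in coeffs]


def total_risk(ps, i_s, us):
    """Eq. (3): R = 1 - (1 - ps)(1 - is)(1 - us), each input in [0, 1]."""
    for v in (ps, i_s, us):
        if not 0.0 <= v <= 1.0:
            raise ValueError("rule risk values must lie in [0, 1]")
    return 1.0 - (1.0 - ps) * (1.0 - i_s) * (1.0 - us)


def property_holds(base, raised):
    """Check the Property of section 3.4 on two (ps, is, us) triples.

    If every rule value of `raised` is >= the matching value of `base`,
    Eq. (3) must give a total risk that is at least as large.
    """
    dominated = all(r >= b for b, r in zip(base, raised))
    return (not dominated) or total_risk(*raised) >= total_risk(*base)


if __name__ == "__main__":
    print([round(row_entropy(r), 3) for r in RP])
    print([round(w, 3) for w in entropy_weights(RP)])
    # Constructed rule values, not taken from the thesis.
    print(round(total_risk(0.2, 0.4, 0.1), 3))
```

The recomputed entropies and weights agree with the values printed in step (5) to within rounding of the three-decimal matrix entries.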
4.1.5 Generating Attack Graph
Table 19. Risk Level of Total Risk Value
Total risk value (R) | Risk level
0 ≤ R < 0.3 | Low (L)
According to the total risk value, we defined the risk levels, shown in Table 19, to express the risk level of the wireless environment. In order to clearly represent the risk value between the AP and the station via an attack graph, the connection relation, risk value, and risk level can be represented by a risk set. The risk set consists of four elements, which are denoted as (AP_device, STA_device, Rsk_value, Rsk_level). AP_device represents an access point which is connected with a wireless station. STA_device represents a wireless station which connects to an access point. Rsk_value represents the total risk value between the access point and the station. Rsk_level is regarded as the danger between two wireless devices according to Table 19. Therefore, graph drawing can be performed via Graphviz [25] and is shown in Fig. 8, where the nodes and the edges are the wireless devices and the risk set between two devices, respectively.
Fig. 8. Attack Graph with AP1 and STA1
4.2 Calculating Risk Value between Two Wireless Stations
After calculating risk value between an AP and a station from section 4.1, we can further
extend the analysis method to analyze the risk level between two stations. In this section, an extended environment of wireless network will be introduced for risk assessment.
4.2.1 The Environment of Wireless Network
Let us consider an environment of wireless network shown in Fig. 9, where the AP1 consists of two wireless stations STA1, STA2, and we want to analyze the risk between STA1 and STA2. Then the total risk value can be calculated via the configurations of the three wireless devices.
Fig. 9. Wireless Network Example (AP and two stations)
4.2.2 Determination of the Analysis Rules
The experts use the same rules to analyze a uniform assessable affair although they know that the analysis rules can be changed at any time. Once the rules are changed, the result of assessment will not be fair and objective. In order to equitably analyze the security of the wireless network, we should use the same criteria. Therefore, in this subsection, we use the same analysis rules from section 4.1.2 to analyze the wireless environment.
4.2.3 Algorithm
Because we use the same analysis rules, we should use the same algorithms to calculate the total risk value. In this example, all arguments are the same, except the configuration file.
From Fig. 9, we can generate three configuration files among AP1, STA1, and STA2. If we want to calculate the total risk value between AP1 and STA1, the configuration file should include 10 configurations consisting of AP1 and STA1. In the same way, the second configuration file includes 10 configurations comprising AP1 and STA2 in order to calculate the total risk value between them. As for the third configuration file, it is used to calculate the total risk value between STA1 and STA2. The configurations of the three wireless devices should be considered. Therefore, the third configuration file should contain 15 configurations.
After obtaining the configuration files, Algorithm 4.2 can be used first to get the weight of each configuration, and then Algorithm 4.1 is used to obtain the total risk value among the three wireless devices.
4.2.4 Evaluation
As in the former evaluation, we can obtain the total risk value between an AP and a wireless station. Thus, we do not calculate it again. From Fig. 9, there are two connections: one is from AP1 to STA1, and the other is from AP1 to STA2. The result of assessment between AP1 and STA1 is 0.580, and the other result is 0.567. In the following, we use the proposed risk assessment method to calculate the total risk value between STA1 and STA2. The procedures are decomposed as follows:
(1) Constructing the security list table — According to the configurations of Fig. 9, we can construct a linguistic security list which includes the weights and risk levels of the configurations based on Table 12, Table 13, Table 16, and Table 17, as shown in Table 20.
Table 20. Linguistic List of the Weight and the Risk Level (AP1, STA1 and STA2)
Attack type
(2) Calculating the fuzzy average set — By using FWA method and fuzzy arithmetic operation from Eqs. (6) to (9), we can obtain the average fuzzy set of each attack type:
[ ] [ ]
(3) Calculating the risk rating — By applying quantitative method of Eq. (10), the risk rating of RC1 is
( ) ( )
(4) Constructing judge matrixes — After calculating the risk ratings, each risk rating of attack types should execute multiplication to generate judge matrixes. From the rules of B1, B2, and B3, the judge matrixes Rp, Ri, and Ru can be computed according to Table 8, Table 9, and Table 10. They are:
$$R_p = \begin{bmatrix}
0.000 & 0.000 & 0.000 & 0.364 & 0.273 & 0.182 & 0.091 \\
0.000 & 0.000 & 0.000 & 0.087 & 0.174 & 0.348 & 0.261 \\
0.000 & 0.000 & 0.000 & 0.000 & 0.431 & 0.345 & 0.086 \\
0.000 & 0.000 & 0.000 & 0.000 & 0.087 & 0.435 & 0.349 \\
0.000 & 0.000 & 0.000 & 0.000 & 0.081 & 0.326 & 0.408 \\
0.076 & 0.076 & 0.076 & 0.151 & 0.227 & 0.151 & 0.000
\end{bmatrix}$$
$$R_i = \begin{bmatrix}
0.000 & 0.273 & 0.364 & 0.273 & 0.000 \\
0.087 & 0.087 & 0.087 & 0.262 & 0.349 \\
0.086 & 0.000 & 0.345 & 0.258 & 0.173 \\
0.000 & 0.000 & 0.087 & 0.174 & 0.610 \\
0.000 & 0.000 & 0.000 & 0.326 & 0.489 \\
0.000 & 0.075 & 0.151 & 0.378 & 0.151
\end{bmatrix}$$
(5) Calculating the quantitative coefficients and normalized weights — From Example 1, the entropies of attack types of Rp, Ri, and Ru have been calculated by applying Eq. (13), they are:
ep = (0.658, 0.658, 0.485, 0.485, 0.485, 0.871)
ei = (0.677, 0.881, 0.795, 0.498, 0.418, 0.758)
eu = (0.613, 0.936, 0.613, 0.817, 0.858, 0.631)
In the same way, the weight vectors of attack types of each rule can be calculated by the Eqs.